Two recent studies show that if organizations simply focused on IT
security basics, they'd make great strides in reducing their risk of
embarrassing, avoidable and often costly data breaches.

Security firm Imperva examined attack trends across 40 applications and
monitored millions of attacks that targeted web applications for the
six-month period spanning June through November of last year. The firm
found that attackers like to target five relatively common application
vulnerabilities: remote file inclusion, SQL injection, local file
inclusion, cross-site scripting and directory traversal. The majority
of these attack vectors have been significant problems for years.

Rafal Los, chief security evangelist, HP Software Worldwide, says the
industry's inability to rid itself of lingering and well-understood
software vulnerabilities isn't a problem due to lack of technology.
"It's now a behavioral problem. Development organizations have more
resources than ever to create a rational, security-infused software
development lifecycle (SDLC) which doesn't 'bolt-on' security at the
very last stages," says Los. "Until security becomes a fundamental
business objective, the behaviors that today lead to things like SQL
injection will continue. We need to 'hack' the business relationship;
from there I firmly believe things will finally start to get better."

However, many (perhaps most) breaches aren't due to attacks against
software applications at all, however trivial those attacks are for
most cyber-criminals. A survey of 500 IT professionals (who primarily
report directly or indirectly to the CIO or the CISO) found that 60
percent of respondents report that customer data that was lost or
stolen was not even encrypted. The most common types of data exposed in
breaches were email (70 percent), credit card or bank payment
information (45 percent) and social security numbers (33 percent). Also,
not surprisingly, when organizations were actually able to determine the
cause of a breach, the most common culprit was the negligent insider at
34 percent, while 19 percent say it was the outsourcing of data to a
third party and 16 percent say a malicious insider was the main cause.